New trojan makes you think Facebook and Google want your bank details

Ever tried to log into your Facebook or Google account, only to be asked to enter your credit card details? Of course the two most popular websites in the world would be a prime target for anyone looking to plant some malware, but according to a new study, it’s getting more difficult to detect the threats.

The latest report from cybercrime security company ThreatMetrix describes how a new version of the Zeus Trojan is targeting Facebook and Gmail log in pages in order to trick their users into submitting their credit and bank account details.

Users log into their Gmail or Facebook accounts via a page that looks “normal”, but instead of continuing to their newsfeed or inbox, they’re confronted with a new page. These pages look like legitimate versions of the standard Facebook and Google pages, and include the type of accreditation badges you’d expect on an ecommerce site, like one from antivirus provider Norton, but they are actually designed to steal banking details.

“The latest Zeus variant catches victims off-guard by waiting to attack until after a website’s login page appears to be functioning normally,” explains ThreatMetrix’s Andreas Baumhof. “After the victim logs in, the Zeus Trojan attempts to steal confidential information.” The new variant of the trojan also encrypts its configuration file, making it difficult to detect automatically.

Some of the scams offer (relatively) believable reasons as to why they are requesting your account details, like suggesting that entering your information will allow you to purchase Facebook credits or easily make payments on online stores using your Google account.

Facebook and Google aren’t the only sites which have been affected by the new variant of the trojan: financial institutions from the US to Australia have also become targets, as have online retailers. Some banks in Italy have been affected by a script which adjusts clients’ bank balances so they’re not aware their money has been stolen. Online stores have been compromised too, again by a window which looks genuine. For example, during the final stages of a purchase, after the customer has entered their payment details, a popup will appear asking them to verify their card number. If they enter it again, they’re submitting their details to cybercriminals, not the store.

“What puts social media websites, financial institutions, online retailers, and payment processers at such high risk with this particular variant of the Zeus trojan is that all of the fraudulent pages and windows described in the report appear legitimate to most users,” said Baumhof. “Pages include the branding and messaging typical to each of the industries the cybercriminals are targeting. They are even personalised with the victim’s name.”